What is claimed is: 

1. A computer program product for enabling a subsequent user sign-on during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:

computer-readable program code means for processing a first sign-on during a secure 
session using a digital certificate, further comprising: 

computer-readable program code means for establishing said secure session from 
a client machine to a server machine using said digital certificate, wherein said digital certificate 
represents an identity of said client machine or a user thereof; 

computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;

computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol;

computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;

computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

computer-readable program code means for using said passed or retrieved digital 
certificate to locate access credentials for said user; 

computer-readable program code means for accessing a stored password or 
generating a password substitute representing said located credentials; and 
computer-readable program code means for using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and

computer-readable program code means for processing a subsequent sign-on during said secure session using said digital certificate, wherein said subsequent sign-on requests access to said secure legacy host application or a different legacy host application, further comprising:

computer-readable program code means for receiving a subsequent sign-on request requiring said identity;

computer-readable program code means for retrieving said stored digital 
certificate or reference; 

computer-readable program code means for passing said retrieved digital certificate or reference from said server machine to said host access security system;

computer-readable program code means, operable in said host access security system, for re-authenticating said identity using said passed retrieved digital certificate or retrieved reference;

computer-readable program code means, operable in said host access security system, for using said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;

computer-readable program code means for re-accessing said stored password or 
generating a new password substitute representing said re-located credentials; and 

computer-readable program code means for using said re-accessed stored password or said new password substitute to transparently complete said subsequent sign-on to said secure legacy host application executing at said host system or said different legacy host application.

RSW9-2000-0035-US1 -43-

2. The computer program product as claimed in Claim 1, wherein said digital certificate is an X.509 certificate and said digital certificate reference is a reference to an X.509 certificate.



3. The computer program product as claimed in Claim 1, wherein said communication protocol is a 3270 emulation protocol.



4. The computer program product as claimed in Claim 1, wherein said communication protocol is a 5250 emulation protocol.



5. The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.

6. The computer program product as claimed in Claim 3, wherein said host access security 
system is a Resource Access Control Facility (RACF) system. 



7. The computer program product as claimed in Claim 1, wherein said server machine is a Web application server machine.



8. The computer program product as claimed in Claim 1, further comprising:

computer-readable program code means for requesting by said legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user;

computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user;

computer-readable program code means for substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message;

computer-readable program code means for requesting, by said legacy host application, subsequent sign-on information for said user;

computer-readable program code means for responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and

computer-readable program code means for substituting said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.






9. The computer program product as claimed in Claim 7, further comprising:

computer-readable program code means for requesting by said legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user;

computer-readable program code means for responding to said request for first sign-on information by supplying a user identifier associated with said located access credentials and said stored password or said generated password substitute at said server machine;

computer-readable program code means for requesting, by said legacy host application, subsequent sign-on information for said user; and

computer-readable program code means for responding to said request for subsequent sign-on information by supplying said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute at said server machine.
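The flow recited in Claims 1 and 8 (client certificate on the secure session, a stored reference at the server machine, authentication and credential lookup by the host access security system, a password substitute, placeholder substitution in the client's sign-on message, and the same path again for a subsequent sign-on), written out as an added example for this page. It is not code from the patent or from IBM: the Certificate stand-in, the class names, the placeholder strings @@USERID@@ and @@PASSWORD@@, and the HMAC-based password substitute are all assumptions made for the illustration. It goes one step past the claims in making the substitute single-use and time-bound, which is what stops a captured 3270 sign-on from being replayed; a real RACF PassTicket is produced by RACF's own algorithm, not by this HMAC.

```python
"""Simulation of the certificate-based sign-on flow in the claims above.

Added example, not code from the patent or from IBM. The Certificate
stand-in, the placeholder strings, the class names and the HMAC-based
single-use password substitute are assumptions made for this illustration;
a real RACF PassTicket is produced by RACF's own algorithm, not by this HMAC.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

USERID_PH = "@@USERID@@"      # assumed placeholders the client puts in its sign-on message
PASSWORD_PH = "@@PASSWORD@@"


@dataclass(frozen=True)
class Certificate:
    """Stand-in for the X.509 certificate presented on the TLS session (assumption)."""
    issuer: str
    subject: str
    serial: int
    not_after: float  # POSIX seconds

    def reference(self) -> str:
        """What the server stores instead of the whole certificate."""
        return hashlib.sha256(f"{self.issuer}|{self.serial}".encode()).hexdigest()


class HostAccessSecuritySystem:
    """Simulated host access security system (the RACF role in the claims)."""

    def __init__(self, trusted_issuers, cert_to_userid, applid, ttl=600):
        self._trusted = set(trusted_issuers)
        self._certs = {c.reference(): c for c in cert_to_userid}  # retrieval by reference
        self._userids = {c.reference(): u for c, u in cert_to_userid.items()}
        self._revoked, self._applid, self._ttl = set(), applid, ttl
        self._key = os.urandom(32)    # secret shared with the host application
        self._issued = {}             # substitute -> (userid, expiry); consumed on use

    def revoke(self, cert):
        self._revoked.add(cert.reference())

    def authenticate(self, cert_or_ref, now):
        """Authenticate the identity from the passed certificate or a reference to it."""
        cert = cert_or_ref if isinstance(cert_or_ref, Certificate) else self._certs.get(cert_or_ref)
        if cert is None:
            raise PermissionError("unknown certificate reference")
        if cert.issuer not in self._trusted:
            raise PermissionError("untrusted issuer")
        if now >= cert.not_after:
            raise PermissionError("certificate expired")
        if cert.reference() in self._revoked:
            raise PermissionError("certificate revoked")
        return cert.reference()

    def locate_credentials(self, ref):
        """Map the authenticated certificate to the host user ID it may use."""
        if ref not in self._userids:
            raise PermissionError("no host user ID mapped to this certificate")
        return self._userids[ref]

    def password_substitute(self, userid, now):
        """Fresh, time-bound, single-use stand-in; the stored password itself is never emitted."""
        nonce = os.urandom(8).hex()
        mac = hmac.new(self._key, f"{self._applid}|{userid}|{nonce}".encode(), "sha256")
        sub = mac.hexdigest()[:8].upper()   # 8 characters, the length of a RACF password
        self._issued[sub] = (userid, now + self._ttl)
        return sub

    def redeem(self, userid, substitute, now):
        """Host-application side: each substitute is accepted once, and only before it expires."""
        entry = self._issued.pop(substitute, None)
        return entry is not None and entry[0] == userid and now < entry[1]


class WebApplicationServer:
    """Server machine: terminates the TLS session and drives the legacy host sign-on."""

    def __init__(self, hass):
        self._hass, self._sessions = hass, {}

    def establish_secure_session(self, cert, now):
        self._hass.authenticate(cert, now)       # client-certificate validation, simplified
        sid = os.urandom(16).hex()
        self._sessions[sid] = cert.reference()   # store the reference, not the certificate
        return sid

    def sign_on(self, sid, client_message, now):
        """First and subsequent sign-ons take the same path, so revocation is re-checked each time."""
        ref = self._hass.authenticate(self._sessions[sid], now)
        userid = self._hass.locate_credentials(ref)
        sub = self._hass.password_substitute(userid, now)
        if USERID_PH not in client_message or PASSWORD_PH not in client_message:
            raise ValueError("client sign-on message lacks the expected placeholders")
        return client_message.replace(USERID_PH, userid).replace(PASSWORD_PH, sub), userid, sub


def run_scenario():
    """Constructed scenario: two sign-ons in one session, a replayed substitute, then a revocation."""
    now = time.time()
    cert = Certificate("CN=Example Corp CA", "CN=alice", 4711, now + 86400)
    hass = HostAccessSecuritySystem(["CN=Example Corp CA"], {cert: "APPUSR1"}, "CICSPROD")
    server = WebApplicationServer(hass)
    sid = server.establish_secure_session(cert, now)
    msg = f"LOGON APPLID(CICSPROD) USERID({USERID_PH}) PASSWORD({PASSWORD_PH})"
    first, userid, sub1 = server.sign_on(sid, msg, now)
    first_use = hass.redeem(userid, sub1, now)             # accepted once
    replay = hass.redeem(userid, sub1, now + 1)            # the same substitute again: refused
    second, _, sub2 = server.sign_on(sid, msg, now + 30)   # subsequent sign-on, same stored reference
    hass.revoke(cert)
    try:
        server.sign_on(sid, msg, now + 60)
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    return {"first": first, "second": second, "userid": userid, "fresh": sub1 != sub2,
            "first_use": first_use, "replay": replay, "revoked_blocked": revoked_blocked}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two points a practitioner would check in a real deployment follow from the shape of the code rather than from the claims: the subsequent sign-on re-runs authentication on the stored reference instead of reusing the first result, so a certificate revoked mid-session is refused at the next sign-on, and the client only ever sees the substituted message, never the stored password.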
10. A system for enabling a subsequent user sign-on during a certificate-based host access session, comprising:

means for processing a first sign-on during a secure session using a digital certificate, further comprising:

means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

means for storing said digital certificate or a reference thereto at said server machine;



means for establishing a session from said server machine to a host system using a legacy host communication protocol;

means for passing said stored digital certificate or said reference from said server 
machine to a host access security system; 

means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

means for using said passed or retrieved digital certificate to locate access credentials for said user;

means for accessing a stored password or generating a password substitute representing said located credentials; and

means for using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and

means for processing a subsequent sign-on during said secure session using said digital certificate, wherein said subsequent sign-on requests access to said secure legacy host application or a different legacy host application, further comprising:

means for receiving a subsequent sign-on request requiring said identity;

means for retrieving said stored digital certificate or reference;

means for passing said retrieved digital certificate or reference from said server machine to said host access security system;



means, operable in said host access security system, for re-authenticating said identity using said passed retrieved digital certificate or retrieved reference;
means, operable in said host access security system, for using said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;

means for re-accessing said stored password or generating a new password 
substitute representing said re-located credentials; and 

means for using said re-accessed stored password or said new password substitute to transparently complete said subsequent sign-on to said secure legacy host application executing at said host system or said different legacy host application.

11. The system as claimed in Claim 10, wherein said digital certificate is an X.509 certificate and said digital certificate reference is a reference to an X.509 certificate.



12. The system as claimed in Claim 10, wherein said communication protocol is a 3270 
emulation protocol. 



13. The system as claimed in Claim 12, wherein said host access security system is a Resource Access Control Facility (RACF) system.

14. The system as claimed in Claim 10, wherein said server machine is a Web application server machine.






15. The system as claimed in Claim 10, further comprising:

means for requesting by said legacy host application, responsive to said means for establishing said session, first sign-on information for said user;

means for responding to said request for first sign-on information by sending a first sign- 
on message with placeholders from said client machine to said server machine, said placeholders 
representing a user identification and a password of said user; 

means for substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message;

means for requesting, by said legacy host application, subsequent sign-on information for said user;

means for responding to said request for subsequent sign-on information by sending a 
subsequent sign-on message with placeholders from said client machine to said server machine, 
said placeholders representing said user identification and said password of said user; and 

means for substituting said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.



16. The system as claimed in Claim 14, further comprising:

means for requesting by said legacy host application, responsive to said means for establishing said session, first sign-on information for said user;

means for responding to said request for first sign-on information by supplying a user identifier associated with said located access credentials and said stored password or said generated password substitute at said server machine;

means for requesting, by said legacy host application, subsequent sign-on information for 
said user; and 

means for responding to said request for subsequent sign-on information by supplying said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute at said server machine.

17. A method for enabling a subsequent user sign-on during a certificate-based host access 
session, comprising the steps of: 



processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:

establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

storing said digital certificate or a reference thereto at said server machine;

establishing a session from said server machine to a host system using a legacy host communication protocol;

passing said stored digital certificate or said reference from said server machine to a host access security system;

authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

using said passed or retrieved digital certificate to locate access credentials for said user;

accessing a stored password or generating a password substitute representing said 
located credentials; and 

using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and
processing a subsequent sign-on during said secure session using said digital certificate, 
wherein said subsequent sign-on requests access to said secure legacy host application or a 
different legacy host application, further comprising the steps of: 

receiving a subsequent sign-on request requiring said identity;

retrieving said stored digital certificate or reference;

passing said retrieved digital certificate or reference from said server machine to 
said host access security system; 

re-authenticating, by said host access security system, said identity using said passed retrieved digital certificate or retrieved reference;

using, by said host access security system, said passed retrieved digital certificate or retrieved reference to again re-locate said access credentials for said user;

re-accessing said stored password or generating a new password substitute representing said re-located credentials; and

using said re-accessed stored password or said new password substitute to transparently complete said subsequent sign-on to said secure legacy host application executing at said host system or said different legacy host application.

18. The method as claimed in Claim 17, wherein said digital certificate is an X.509 certificate and said digital certificate reference is a reference to an X.509 certificate.



19. The method as claimed in Claim 17, wherein said communication protocol is a 3270 
emulation protocol. 



20. The method as claimed in Claim 19, wherein said host access security system is a Resource Access Control Facility (RACF) system.

21. The method as claimed in Claim 17, wherein said server machine is a Web application server machine.

22. The method as claimed in Claim 17, further comprising the steps of:

requesting by said legacy host application, responsive to said step of establishing said session, first sign-on information for said user;

responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user;

substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message;

requesting, by said legacy host application, subsequent sign-on information for said user;

responding to said request for subsequent sign-on information by sending a subsequent sign-on message with placeholders from said client machine to said server machine, said placeholders representing said user identification and said password of said user; and

substituting said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute for said placeholders in said subsequent sign-on message.

23. The method as claimed in Claim 21, further comprising the steps of:

requesting by said legacy host application, responsive to said step of establishing said session, first sign-on information for said user;

responding to said request for first sign-on information by supplying a user identifier associated with said located access credentials and said stored password or said generated password substitute at said server machine;

requesting, by said legacy host application, subsequent sign-on information for said user; and

responding to said request for subsequent sign-on information by supplying said user identifier associated with said re-located access credentials and said re-accessed stored password or said new password substitute at said server machine.